Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
Redis cache store is now compatible with redis-rb 5.0.
Jean Boussier
Fix NoMethodError on custom ActiveSupport::Deprecation behavior.
ActiveSupport::Deprecation.behavior= was supposed to accept any object
that responds to call, but in fact its internal implementation assumed that
this object could respond to arity, so it was restricted to only Proc objects.
This change removes this arity restriction of custom behaviors.
Ryo Nakamura
Rails 7.0.3.1 (July 12, 2022)
No changes.
Rails 7.0.3 (May 09, 2022)
No changes.
Rails 7.0.2.4 (April 26, 2022)
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters
in names of tags and names of attributes, following the specification of XML.
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ProgressiveCoders/progbot/network/alerts).
Bumps actionpack, activesupport, rails and audited. These dependencies needed to be updated together. Updates
actionpackfrom 6.1.7 to 7.0.4.1Release notes
Sourced from actionpack's releases.
... (truncated)
Changelog
Sourced from actionpack's changelog.
... (truncated)
Commits
23e0345Version 7.0.4.18d82687Avoid regex backtracking on If-None-Match headercd46b0eUse string#split instead of regex for domain partse50e26dFix sec issue with _url_host_allowed?8015c2cVersion 7.0.4f3c345eMerge pull request #45964 from jhawthorn/server_timing_safety4d25c64Merge pull request #45221 from jhawthorn/ac_params_eql_fix47cff40Format inline code [ci-skip]c5a407dLinkify code references [ci-skip]e874cf5Fix typos [ci-skip]Updates
activesupportfrom 6.1.7 to 7.0.4.1Release notes
Sourced from activesupport's releases.
... (truncated)
Changelog
Sourced from activesupport's changelog.
... (truncated)
Commits
23e0345Version 7.0.4.12164d4fAvoid regex backtracking in Inflector.underscore8015c2cVersion 7.0.4ff27758Revert "Merge pull request #44695 from Edouard-chin/ec-tagger-logger-broadcast"4a1f224Merge pull request #45882 from rails/short-inspect-on-test-casea3bd3b5Backport Redis 5.0 compatibility67f37acFix flaky tests for RedisCacheStorec520e38Document AS::Cache::MemCacheStore#write options [ci-skip]a74b650Document AS::Cache::Store#initialize options [ci-skip]f7a82bfDocument AS::Cache::Store#read options [ci-skip]Updates
railsfrom 6.1.7 to 7.0.4.1Release notes
Sourced from rails's releases.
... (truncated)
Commits
23e0345Version 7.0.4.1d7aba06Make sanitize_as_sql_comment more strict8d82687Avoid regex backtracking on If-None-Match header2164d4fAvoid regex backtracking in Inflector.underscorecd46b0eUse string#split instead of regex for domain partse50e26dFix sec issue with _url_host_allowed?82bcdc0Added integer width check to PostgreSQL::Quoting8015c2cVersion 7.0.4f3c345eMerge pull request #45964 from jhawthorn/server_timing_safetyff27758Revert "Merge pull request #44695 from Edouard-chin/ec-tagger-logger-broadcast"Updates
auditedfrom 4.10.0 to 5.1.0Changelog
Sourced from audited's changelog.
... (truncated)
Commits
16769b3Bump version503a689Run standardrb --fix729a35fFix old Rubies2b605cbImprove readme example for conditional auditing:a9dde82Remove https://hakiri.io link in README2f09bb8Update CHANGELOG9232a75Merge pull request #605 from jess/patch-171c52bcMerge pull request #621 from Crammaman/ignore_audit_combine_deadlock68c2413Merge pull request #630 from vlad-psh/filter-encrypted-attributes-automatically1bbc099Filter encrypted attributes automaticallyDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ProgressiveCoders/progbot/network/alerts).